1. Field of the Invention
The present invention relates to the automatic generation of passwords, and more specifically, to an improved method and system for generating a password from a unique mnemonic based on the results of an Internet search.
2. Description of the Background
Today, many products, devices and/or systems rely on passwords to serve as an access control mechanism. Internet sites, telephone systems, and building security systems are just a few examples of devices/systems that require a password for access. One of the security challenges related to these access control mechanisms (collectively referred to as passwords) is the generation of a secure password. The two most common mechanisms for generating passwords are either to automatically generate a random password or to create a one-time password that the user is then asked to modify upon initial login. A randomly generated password, while initially more secure than a user-selected password, is difficult for a user to recall. Consequently, a user often writes the password down or stores it in a computer file so it is available when needed. The recorded password then becomes susceptible to being exposed to a third party. Likewise, a one-time randomly generated password is likely to be replaced by a user-selected password that is cryptographically weak, easily determined, and/or non-unique and shared among multiple systems. Indeed, many individuals use the same password for all or most of their access requirements. The present invention provides more security than prior methods for generating passwords because it generates a memorable password, while ensuring randomness and uniqueness.
Passwords are more memorable if they can be linked to a phrase and committed to memory as a mnemonic. For example, the phrase, “Itsy-bitsy spider crawled up the water spout” can be used to generate the mnemonic password, “IBSCUTWS”. For a phrase to be memorable, it must comply with generally understood and accepted rules of grammar. To ensure that the phrase complies with generally understood rules of grammar, the phrase must be selected from a pre-existing library of grammatically correct phrases.
In the past, various security devices have used small dictionaries to create random passwords. For example, the Diceware™ method picks a pass phrase using dice to select words at random from a preset dictionary list of several thousand terms. Each word in the library is assigned a five-digit number comprised of digits between zero and seven. The results of five dice rolls determine the word selected from the library. The user may choose to include any number of words in the pass phrase. The steps of rolling the die five times are repeated as many times as the number of words the user wishes to include in their pass phrase. To illustrate the Diceware method, a user may decide they want a six-word pass phrase. They roll a die five times and the outcome of the five dice rolls is a five-digit number, e.g., 14562, where “1” is the result of the first roll, “4” is the result of the second roll, etc. This action is repeated six times, each set of five dice rolls corresponding to a word from the library, which then becomes the user's pass phrase, such as “emile grade finale cooke snip nice”. The difficulty with the Diceware algorithm is that the resulting password is not memorable because it is a random grouping of words and not grammatically correct.
U.S. Pat. No. 5,812,764 to Heinz, Sr. discloses a system and method of generating passwords that are shared between two or more devices. While the '764 patent generates passwords between two or more devices, the passwords are cryptographically secure and therefore not easily memorable.
Selecting a password from a library of pre-existing known phrases is a useful mechanism to generate a grammatically correct phrase. However, the library must be extensive enough to minimize the likelihood of two phrases being the same. For example, Leonard Tolstoy's “War and Peace” contains approximately 75,000 sentences. If “War and Peace” is used as the pre-existing library, a duplicate password would appear on average after 37,500 generations. For purposes of comparison, in this example, a four-character password has 457,000 combinations (26^4).
It would be greatly advantageous to provide a method and system for generating a password from a unique mnemonic based on the results of an Internet search. Using a popular search engine as a reference, the Internet has over 4,000,000,000 unique pages. Assuming each page has, on average, 20 sentences, the Internet has over 80,000,000,000 available sentences from which to derive mnemonics. Moreover, due to the dynamic nature of the Internet, the search results can be expected to change over time. Thus, if a search query is sent to a search engine and the same search query is repeated at a later time, the results will likely be different. For purposes of comparison, a seven-character password has 8,000,000,000 combinations (26^7), which is far greater than the previous “War and Peace” example. This form of password generation system could easily be incorporated into any device that has access to the Internet.
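The mnemonic derivation and the library-size comparisons above can be checked with a short script. This is an added example, not part of the original text: the function names and the three-sentence sample library are constructed for illustration, and the entropy figure is an upper bound that assumes sentences are chosen uniformly at random.

```python
import math
import re
import secrets

LETTERS = 26  # the text counts letter-only passwords: 26^4 and 26^7

def mnemonic(phrase):
    """First letter of each word, upper-cased. Hyphenated words are split,
    as in the text's "Itsy-bitsy ..." -> "IBSCUTWS" example."""
    words = re.findall(r"[A-Za-z][A-Za-z']*", phrase)
    return "".join(w[0].upper() for w in words)

def keyspace(length):
    """Number of letter-only passwords of the given length."""
    return LETTERS ** length

def entropy_bits(library_size, length):
    """Upper bound, in bits, for a mnemonic of `length` letters taken from a
    sentence chosen uniformly among `library_size`: limited by whichever is
    smaller, the sentence pool or the 26^length keyspace."""
    return min(math.log2(library_size), length * math.log2(LETTERS))

def distinct_mnemonics(library):
    """Different sentences can share initials, shrinking the effective pool."""
    return len({mnemonic(s) for s in library})

def generate(library):
    """Pick a sentence with a CSPRNG and return (sentence, mnemonic)."""
    phrase = secrets.choice(library)
    return phrase, mnemonic(phrase)

# Constructed sample library; the first two sentences collide on purpose.
SAMPLE = [
    "Itsy-bitsy spider crawled up the water spout",
    "In Boston, seven cats ushered the wrong singer",
    "Down came the rain and washed the spider out",
]

if __name__ == "__main__":
    print(generate(SAMPLE))
    print("distinct mnemonics:", distinct_mnemonics(SAMPLE), "of", len(SAMPLE))
    for name, size, n in (("War and Peace", 75_000, 4),
                          ("Internet", 80_000_000_000, 7)):
        print(f"{name}: {size:,} sentences vs 26^{n} = {keyspace(n):,}; "
              f"at most {entropy_bits(size, n):.1f} bits")
```
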